About CUPI Authentication and Authorization

CUPI uses the same authentication and authorization scheme as the administration console: the objects an authenticated administrator can access are determined by the roles to which that administrator is assigned.

CUPI authenticates by using standard HTTPS and Basic authentication, so credentials are passed in the usual way: the username and password are sent in the HTTP Authorization header.

Authentication Rules API

In Cisco Unity Connection, the authentication rules govern user passwords, PINs, and account lockouts for all user accounts. You use the authentication rules to control how users access Unity Connection by phone, and how they access Cisco Unity Connection Administration and the Cisco Personal Communications Assistant (Cisco PCA).

For example, an authentication rule determines:

The number of failed sign-in attempts that are allowed before an account is locked.

The number of minutes an account remains locked before it is reset.

Whether a locked account must be unlocked manually by an administrator.

The minimum length allowed for passwords and PINs.

The number of days before a password or PIN expires.

Administrators use this API to create, update, delete, and fetch authentication rules, and to update the individual attributes of a rule.

Listing the Authentication Rules

The following is an example of the GET request that fetches the list of authentication rules:

GET https://<connection-server>/vmrest/authenticationrules

The following is the response to the above *GET* request; the actual response depends on the information you have configured:

Explanation of Data Fields

HackResetTime

The length of time (in minutes) after which, if no further failed logon attempts occur, the count of failed logon attempts is cleared.

The value of the HackResetTime field should be in the range of 1-120 minutes.
Default Value: 30 minutes

locationobjectid

Read Only

String(36)

The unique identifier of the Location object to which this credential policy belongs.

The default value is the delivery location for this virtual machine system.

locationURI

Read Only

String

The URI of the Location object to which this credential policy belongs.

LockoutDuration

Read/Write

Integer

The length of time (in minutes) that a locked-out user must wait before attempting to access the system again with this credential.

The value should be in the range of 0-1440 minutes. A value of "0" means the user remains locked out until an administrator unlocks the credential/account.
Default Value: 30 minutes

MaxDays

Read/Write

Integer

The maximum number of days before the credential must be changed.

The default value is 180 days when creating a credential policy associated with user accounts that do NOT have administrative access or privileges (that is, a normal user account with a voice mail subscription).
The default value is 120 days when creating a credential policy associated with user accounts that have administrative access and privileges.
The value of the MaxDays field should be in the range of 0-3563 days. A value of "0" means the credential never expires.

MaxHacks

Read/Write

Integer

The maximum number of failed logon attempts (hacks) before action is taken. If the number of invalid attempts exceeds this limit, the account is locked out.

The value of this field should be in the range of 0-100. A value of "0" means an unlimited number of logon attempts is allowed (that is, no lockout).
Default Value: 3 attempts

MinLength

Read/Write

Integer

The minimum number of characters (password) or digits (PIN) required. The value of this field should be in the range 1-64.

A value of "0" means blank credentials are allowed, that is, no password or PIN is required.
Default Value: 8 characters

PrevCredCount

Read/Write

Integer

Stores the specified number of previous credentials for a user and compares each new credential against them. The new password must not match any of the old ones kept in the history.

The value of this field should be in the range of 0-25.
Note: If blank credentials are allowed, this field is ignored.
Default Value: 8 credentials

If enabled, Unity Connection verifies that the credential meets the criteria for its type:
Password (GUI):

The password must contain at least three of the following four character types: an uppercase character, a lowercase character, a number, or a symbol.

The password cannot contain the user alias or its reverse.

The password cannot contain the primary extension or any alternate extensions.

A character cannot be used more than three times consecutively (for example, !Cooool).

The characters cannot all be consecutive, in ascending or descending order (for example, abcdef or fedcba).

PIN (TUI):

PIN cannot match the numeric representation of the first or last name of the user.

PIN cannot contain the primary extension or alternate extensions of the user.

PIN cannot contain the reverse of the primary extension or alternate extensions of the user.

PIN cannot contain groups of repeated digits, such as "408408" or "123123."

PIN cannot contain only two different digits, such as "121212."

A digit cannot be used more than two times consecutively (for example, "28883").

PIN cannot be an ascending or descending group of digits (for example, "012345" or "987654").

PIN cannot contain a group of numbers that are dialed in a straight line on the keypad when the group of digits equals the minimum credential length that is allowed (for example, if 3 digits is allowed, the user could not use "123," "456," or "789" as a PIN).
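The PIN (TUI) rules above, written out as a checker. This is an added example, not Cisco's code; how "group of repeated digits", "only two different digits" and "straight line on the keypad" are interpreted is my reading of the page, and the keypad letter mapping and line set are assumptions.

```python
# Added example (not Cisco's code): a checker for the PIN (TUI) rules listed
# above. How "group", "two different digits" and "straight line on the keypad"
# are interpreted is my reading of the page text, not a Cisco specification.
import re

# Letters as mapped on a phone keypad, used for the first/last-name rule.
KEYPAD = {c: d for d, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for c in letters}
# Assumed keypad lines: the three rows, the columns (0 sits below 8) and both diagonals.
KEYPAD_LINES = ["123", "456", "789", "147", "2580", "369", "159", "357"]

def name_to_digits(name):
    """'Alice' -> '25423' (characters with no keypad digit are dropped)."""
    return "".join(KEYPAD.get(c, "") for c in name.upper())

def pin_violations(pin, first_name, last_name, extensions, min_length):
    """Return the rules the PIN breaks; an empty list means it passes."""
    if not pin.isdigit() or len(pin) < min_length:
        return ["PIN must be digits only and at least MinLength long"]
    v = []
    if pin in {name_to_digits(first_name), name_to_digits(last_name)}:
        v.append("matches numeric form of first or last name")
    if any(e and e in pin for e in extensions):
        v.append("contains a primary or alternate extension")
    if any(e and e[::-1] in pin for e in extensions):
        v.append("contains a reversed extension")
    if re.search(r"(\d{2,})\1", pin):            # e.g. 408408, 123123
        v.append("contains a repeated group of digits")
    if len(set(pin)) <= 2:                        # e.g. 121212
        v.append("uses only two different digits")
    if re.search(r"(\d)\1\1", pin):               # e.g. 28883
        v.append("a digit is used more than twice in a row")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                      # e.g. 012345, 987654
        v.append("ascending or descending sequence")
    # Straight lines of exactly MinLength digits, in either dialling direction.
    lines = {line[i:i + min_length] for base in KEYPAD_LINES
             for line in (base, base[::-1]) for i in range(len(line) - min_length + 1)}
    if any(pin[i:i + min_length] in lines for i in range(len(pin) - min_length + 1)):
        v.append("contains a straight line on the keypad")
    return v
```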

DisplayName

Read/Write

String(64)

The unique display name (for example, "Administrator Password Policy") of the credential policy, used when listing entries in an administrative console such as Cisco Unity Connection Administration.

MinDuration

Read/Write

Integer

The minimum number of minutes that must pass from the time of the last change before the credential can be changed.

The range of this field can vary from 0 to 129600 minutes. A value of "0" means that there are no restrictions on how often the user can change the credential.
Default Value: 1440 minutes.
Note: The minimum duration between credential changes is specified in minutes while the expiry warning days is expressed in terms of days.

ExpiryWarningDays

Read/Write

Integer

The number of days before a credential expires at which Unity Connection begins prompting the user to change it at each logon, until the change is made. The ExpiryWarningDays field must be set smaller than the MaxDays field, because the warning must occur before expiration.

A value of "0" means that a user will not be prompted to change their credential prior to its expiration.
Default Value: 15 days
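Putting the GET request and the field ranges above together: an added example (not Cisco's code) that fetches the rules over HTTPS with Basic auth and audits each one against the documented ranges and the values that weaken lockout and expiry. The JSON response shape in fetch_rules and the sample rule are assumptions; only the URL path and field names come from the page.

```python
# Added example (not Cisco's code): fetch the authentication rules over HTTPS
# with Basic auth, as the page describes, and audit each rule against the
# documented ranges and the settings that weaken lockout and expiry.
import base64, json, urllib.request

# Documented ranges (low, high) for the integer fields described above.
# MinLength is documented as 1-64, with "0" meaning blank credentials; 0 is
# accepted here so it can be reported as a weak setting rather than a range error.
RANGES = {"HackResetTime": (1, 120), "LockoutDuration": (0, 1440),
          "MaxDays": (0, 3563), "MaxHacks": (0, 100), "MinLength": (0, 64),
          "PrevCredCount": (0, 25), "MinDuration": (0, 129600)}

def fetch_rules(server, user, password):
    """GET /vmrest/authenticationrules with Basic auth. The JSON shape the
    server returns is assumed here: {"AuthenticationRule": [ {...}, ... ]}."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{server}/vmrest/authenticationrules",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:   # server certificate is verified by default
        return json.load(resp)["AuthenticationRule"]

def audit_rule(rule):
    """Return a list of findings for one rule (empty list = nothing to report)."""
    findings = []
    for field, (lo, hi) in RANGES.items():
        value = int(rule.get(field, lo))
        if not lo <= value <= hi:
            findings.append(f"{field}={value} outside documented range {lo}-{hi}")
    if int(rule.get("MaxHacks", 0)) == 0:
        findings.append("MaxHacks=0: unlimited sign-in attempts, no lockout")
    if int(rule.get("MaxDays", 0)) == 0:
        findings.append("MaxDays=0: credentials never expire")
    if int(rule.get("MinLength", 0)) == 0:
        findings.append("MinLength=0: blank passwords/PINs allowed")
    if int(rule.get("PrevCredCount", 0)) == 0:
        findings.append("PrevCredCount=0: old credentials may be reused")
    max_days, warn = int(rule.get("MaxDays", 0)), int(rule.get("ExpiryWarningDays", 0))
    if max_days and warn >= max_days:
        findings.append("ExpiryWarningDays must be smaller than MaxDays")
    return findings

# Constructed sample rule (not a real server response): the documented defaults,
# except that lockout is disabled and the warning window exceeds MaxDays.
SAMPLE_RULE = {"DisplayName": "Voice Mail User Policy", "HackResetTime": "30",
               "LockoutDuration": "30", "MaxDays": "10", "MaxHacks": "0",
               "MinLength": "8", "PrevCredCount": "8", "MinDuration": "1440",
               "ExpiryWarningDays": "15"}

if __name__ == "__main__":   # replace SAMPLE_RULE with fetch_rules(<connection-server>, user, pw)
    for finding in audit_rule(SAMPLE_RULE):
        print(f"{SAMPLE_RULE['DisplayName']}: {finding}")
```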